4.
Introduction

For reversing and obtaining the binary difference in my demos I would be using DarunGrim2.

How does DarunGrim work? The schema of DarunGrim is shown in the figure:
- To generate diffing results, the binaries are disassembled in IDA Pro in the background and the DarunGrim IDA plugin is run, which creates the SQLite database.
- Diffing Engine, the heart of DarunGrim2: the SQLite database from IDA and the binaries from the GUI are fed into this engine as inputs.

http://null.co.in/
http://nullcon.net/

5.
Algorithm?
- The main algorithm of DarunGrim is a basic-block fingerprint hash map.
- Each basic block is one entity whose fingerprint is generated from its instruction sequence.
- The fingerprint hash is generated by IDA Pro.
- There are two fingerprint hash tables, one each for the unpatched and the patched binary.
- To find the binary difference, each unique fingerprint from the original binary is searched against the fingerprints of the patched binary for a match.
- All fingerprints in the original binary's hash table end up either matched or unmatched.

6.
Algorithm? Contd.
- For a function to be called matching, all the basic blocks in the function should be matching.
- For unmatched functions DarunGrim calculates a percentage match.
- The match rate is based on fingerprint string match, similar to the GNU diff algorithm, which finds the longest common subsequence.
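The two slides above describe the matching scheme in words; the following is an added Python example (not DarunGrim's own code) that models it on a constructed two-version program: one fingerprint per basic block, one hash table per binary, a function counted as matching only when every one of its blocks is found in the patched table, and a longest-common-subsequence match rate for the rest. The function names, the tiny listings and the SHA-1 choice are assumptions made for illustration.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample input: two versions of a tiny program, each function given
# as its basic blocks (lists of disassembled instructions). In DarunGrim this
# would come from the database the IDA plugin writes.
ORIGINAL = {
    "parse_header": [
        ["push ebp", "mov ebp, esp", "sub esp, 0x40"],
        ["mov eax, [ebp+8]", "test eax, eax", "jz short loc_fail"],
        ["push eax", "call memcpy", "add esp, 0xc"],
        ["xor eax, eax", "leave", "retn"],
    ],
    "helper_untouched": [
        ["push esi", "mov esi, ecx"],
        ["call sub_1000", "pop esi", "retn"],
    ],
}
PATCHED = {
    "parse_header": [
        ["push ebp", "mov ebp, esp", "sub esp, 0x40"],
        ["mov eax, [ebp+8]", "test eax, eax", "jz short loc_fail"],
        ["cmp ecx, 0x40", "ja short loc_fail"],              # added length check
        ["push ecx", "push eax", "call memcpy_s", "add esp, 0x10"],
        ["xor eax, eax", "leave", "retn"],
    ],
    "helper_untouched": [
        ["push esi", "mov esi, ecx"],
        ["call sub_1000", "pop esi", "retn"],
    ],
}


def fingerprint(block: List[str]) -> str:
    """Fingerprint of one basic block: a hash over its instruction sequence."""
    return hashlib.sha1("\n".join(block).encode()).hexdigest()


def build_table(program: Dict[str, List[List[str]]]) -> Dict[str, List[Tuple[str, int]]]:
    """fingerprint -> [(function, block index)]; one such table per binary.
    A fingerprint listed more than once is not unique and is ambiguous to match."""
    table: Dict[str, List[Tuple[str, int]]] = {}
    for fname, blocks in program.items():
        for idx, block in enumerate(blocks):
            table.setdefault(fingerprint(block), []).append((fname, idx))
    return table


def lcs_length(a: List[str], b: List[str]) -> int:
    """Longest common subsequence length, the quantity GNU diff maximises."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def match_rate(orig_blocks: List[List[str]], patched_blocks: List[List[str]]) -> float:
    """Percentage match of two versions of a function from the LCS of their
    flattened instruction strings (an approximation of DarunGrim's rate)."""
    a = [ins for blk in orig_blocks for ins in blk]
    b = [ins for blk in patched_blocks for ins in blk]
    return 100.0 * lcs_length(a, b) / max(len(a), len(b))


def diff_programs(original, patched) -> Dict[str, Tuple[str, float]]:
    """Every original function is either 'matched' (all block fingerprints found
    in the patched table) or 'unmatched' with a percentage match."""
    patched_table = build_table(patched)
    result: Dict[str, Tuple[str, float]] = {}
    for fname, blocks in original.items():
        unmatched = [blk for blk in blocks if fingerprint(blk) not in patched_table]
        if not unmatched:
            result[fname] = ("matched", 100.0)
        else:
            rate = match_rate(blocks, patched.get(fname, []))
            result[fname] = ("unmatched", round(rate, 2))
    return result


if __name__ == "__main__":
    for fname, (status, rate) in diff_programs(ORIGINAL, PATCHED).items():
        print(f"{fname}: {status} ({rate}%)")
```

Running it reports `parse_header` as unmatched with a 66.67% rate (10 of 15 instructions survive in order) and `helper_untouched` as matched; the unmatched function is exactly where a reviewer would start looking for the fix.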

7.
Vulnerability vs Exploit based signatures
Exploit signatures
- Created using byte string patterns or regular expressions.
- These are exploit specific.
- Used widely, mainly because of the ease of their creation.
- Cater to only one type of input satisfying that vulnerability condition.
- Fail: different attacks can exploit the same vulnerability, so exploit based signatures will fail.
- Example of an exploit based signature:
  ESig = "docx?AAAAAAAAAAA..."
  It will fail if some exploit uses a long string of B's instead of A's.

8.
Vulnerability vs Exploit based signatures
Vulnerability signatures
- Based on the properties of the vulnerability and not on the properties of the exploit.
- A superset of all the inputs satisfying a particular vulnerability condition.
- Example of a vulnerability based signature for the previous case:
  VSig = MATCH_STR (Buffer,"docx?(.*)$",limit)
  Matches the string in the buffer against the regex.
- It is effective against any alphabet, unlike the exploit signature.
[Figure: Vulnerability Signature containing Exploit Signature]

9.
Vulnerability vs Exploit based signatures
Vulnerability signatures contd.
For a good vulnerability signature:
- It should strictly not allow any false negatives, as even one exploit can pwn the system and create a gateway for the attacker into the network.
- It should allow very few false positives, as too many false positives may lead to a DoS attack on the system.
- The signature matching time should not create a considerable delay for the software and services.
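To make the contrast in the three signature slides concrete, here is an added Python example (not from the original deck) that encodes the slide's ESig as a literal byte pattern and the slide's VSig as "the field after doc/docx exceeds a length limit", then scores both against a constructed labelled corpus using the false-negative / false-positive criteria from the last slide. The samples, the limit of 64 and the interpretation of `MATCH_STR` as a Python regex are assumptions.

```python
import re
from typing import Callable, Dict, List, Tuple

# Exploit-based signature: the byte pattern of one specific exploit
# (the slide's ESig = "docx?AAAAAAAAAAA...").
ESIG = re.compile(rb"docx?" + b"A" * 12)


def exploit_sig(buf: bytes) -> bool:
    return ESIG.search(buf) is not None


# Vulnerability-based signature: the slide's VSig = MATCH_STR(Buffer, "docx?(.*)$", limit),
# modelled as "whatever follows doc/docx is longer than `limit` bytes", i.e. the
# condition that triggers the flaw, independent of which bytes are used.
VSIG = re.compile(rb"docx?(.*)$", re.DOTALL)


def vuln_sig(buf: bytes, limit: int = 64) -> bool:
    m = VSIG.search(buf)
    return m is not None and len(m.group(1)) > limit


# Constructed labelled samples: (input, is_attack). Not real captures.
SAMPLES: List[Tuple[bytes, bool]] = [
    (b"docx" + b"A" * 200, True),    # the exploit the ESig was written from
    (b"docx" + b"B" * 200, True),    # same vulnerability, different filler byte
    (b"doc" + b"\x90" * 150, True),  # same vulnerability, short prefix variant
    (b"docx report.docx", False),    # benign
    (b"docxAAAA", False),            # benign, far below the limit
    (b"pdf" + b"A" * 200, False),    # long, but not the vulnerable field
]


def evaluate(sig: Callable[[bytes], bool], samples: List[Tuple[bytes, bool]]) -> Dict[str, int]:
    """Confusion counts for a signature over labelled samples.
    fn must be 0 for a usable vulnerability signature; fp should be close to 0."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for buf, is_attack in samples:
        hit = sig(buf)
        if hit and is_attack:
            counts["tp"] += 1
        elif hit and not is_attack:
            counts["fp"] += 1
        elif not hit and is_attack:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    print("exploit signature     :", evaluate(exploit_sig, SAMPLES))
    print("vulnerability signature:", evaluate(vuln_sig, SAMPLES))
```

On this corpus the exploit signature misses two of the three attacks (the B-filled and the NOP-filled variants), while the vulnerability signature catches all three with no false positives. The third criterion, matching time, is where `.*` patterns deserve care: an unanchored regex over large buffers is cheap here only because the check is a single length comparison after one search.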

10.
Need
- The first step of creating an undisclosed exploit is to find the vulnerability to exploit.
- To verify that the patch released by Microsoft works as it is designed to.
- To create vulnerability based signatures.

12.
Finding patches
Process
- Pick a vulnerability and download its patch.
- Pick the vulnerability just before this one that patched the same program or DLL.
- If unavailable, use the same DLL from your system.
Quick-fix
- Use the open source ms-patch-tools to easily get the file versions to compare.
Problem
- GDR or QFE/LDR??

16.
Finding patches > Extraction of files > Binary Differencing
Process
- DarunGrim v2 is used for the binary difference.
- Feed in the two binaries to be compared.
- It generates a list of functions with the percentage match between the two files.
Problem
- Not every function with a percentage match below 100 has actually changed.

18.
Finding patches > Extraction of files > Binary Differencing > Differencing Analysis
Process
- Manual inspection of functions with less than 100% match.
- Remove false positives generated by problems like:
  Instruction reordering: a lot of reordering over different releases marks even the same blocks as unmatched.
  Split blocks: a block in the graph which has only one parent, where that parent has only one child, is a split block, causing a problem in the matching process. This can be improved by merging the two blocks and treating them as a single block.

19.
Finding patches > Extraction of files > Binary Differencing > Differencing Analysis
Process (contd.)
- Hot patching: instructions like mov eax, eax at the start of functions are a sign of hot patching, leading to a mismatch in the block. By just ignoring the instruction we can get a match.
- Compiler optimizations: different compilers, and even different versions of the same compiler, perform different optimizations, which also creates problems in getting a proper difference.
- Eventually we reach a function which is indeed modified and might be the fix to the vulnerability being patched.
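The two slides above list three sources of false positives in the diff (split blocks, hot-patch padding, instruction reordering) and sketch the remedies. The following added Python example, written for this page and not taken from DarunGrim, applies those remedies to a constructed pair of control-flow graphs before fingerprinting: it drops `mov r, r` self-moves from the entry block (which covers the slide's `mov eax, eax` as well as other registers), merges a child block into a parent when the parent has exactly one child and the child exactly one parent, and optionally uses an order-insensitive fingerprint as a second pass for reordered blocks. The CFG representation, the block listings and the SHA-1 choice are assumptions.

```python
import hashlib
from copy import deepcopy
from typing import Dict, List, Set, Tuple

# A function is modelled as {block_id: [instructions]} plus {block_id: [successor ids]}.
Blocks = Dict[int, List[str]]
Succs = Dict[int, List[int]]


def is_self_move(ins: str) -> bool:
    """True for 'mov r, r' no-ops such as 'mov eax, eax' (hot-patch padding)."""
    parts = ins.replace(",", " ").split()
    return len(parts) == 3 and parts[0] == "mov" and parts[1] == parts[2]


def strip_hotpatch_prologue(blocks: Blocks, entry: int) -> Blocks:
    """Ignore self-moves in the entry block only, where hot patching places them."""
    out = deepcopy(blocks)
    out[entry] = [i for i in out[entry] if not is_self_move(i)]
    return out


def predecessors(succs: Succs) -> Dict[int, Set[int]]:
    preds: Dict[int, Set[int]] = {b: set() for b in succs}
    for src, dsts in succs.items():
        for d in dsts:
            preds.setdefault(d, set()).add(src)
    return preds


def merge_split_blocks(blocks: Blocks, succs: Succs) -> Tuple[Blocks, Succs]:
    """Merge child into parent whenever parent has one child and child has one parent."""
    blocks, succs = deepcopy(blocks), deepcopy(succs)
    changed = True
    while changed:
        changed = False
        preds = predecessors(succs)
        for p, kids in succs.items():
            if len(kids) != 1:
                continue
            c = kids[0]
            if c == p or preds[c] != {p}:
                continue
            blocks[p] = blocks[p] + blocks[c]
            succs[p] = succs[c]
            del blocks[c]
            del succs[c]
            changed = True
            break  # predecessor map is stale after a merge; recompute
    return blocks, succs


def fingerprint(block: List[str], order_insensitive: bool = False) -> str:
    """Hash of the instruction sequence; sorted first if reordering is to be ignored.
    The sorted form loses semantics, so use it only as a secondary pass."""
    seq = sorted(block) if order_insensitive else block
    return hashlib.sha1("\n".join(seq).encode()).hexdigest()


def fingerprints(blocks: Blocks, succs: Succs, entry: int = 0,
                 normalize: bool = True, order_insensitive: bool = False) -> Set[str]:
    if normalize:
        blocks = strip_hotpatch_prologue(blocks, entry)
        blocks, succs = merge_split_blocks(blocks, succs)
    return {fingerprint(b, order_insensitive) for b in blocks.values()}


def matched_blocks(orig: Tuple[Blocks, Succs], patched: Tuple[Blocks, Succs],
                   normalize: bool = True, order_insensitive: bool = False) -> Tuple[int, int]:
    """(original blocks found in the patched binary, original block count)."""
    a = fingerprints(*orig, normalize=normalize, order_insensitive=order_insensitive)
    b = fingerprints(*patched, normalize=normalize, order_insensitive=order_insensitive)
    return len(a & b), len(a)


# Constructed sample: the same function in two builds. The second build has a
# hot-patch prologue, a split prologue block and two independent loads swapped.
ORIG = ({0: ["push ebp", "mov ebp, esp"],
         1: ["mov eax, [ebp+8]", "mov ecx, [ebp+0xc]", "test eax, eax", "jz short loc_ret"],
         2: ["push eax", "call handle", "add esp, 4"],
         3: ["xor eax, eax", "retn"]},
        {0: [1], 1: [2, 3], 2: [3], 3: []})
PATCHED = ({0: ["mov edi, edi", "push ebp"],
            1: ["mov ebp, esp"],
            2: ["mov ecx, [ebp+0xc]", "mov eax, [ebp+8]", "test eax, eax", "jz short loc_ret"],
            3: ["push eax", "call handle", "add esp, 4"],
            4: ["xor eax, eax", "retn"]},
           {0: [1], 1: [2], 2: [3, 4], 3: [4], 4: []})

if __name__ == "__main__":
    print("raw             :", matched_blocks(ORIG, PATCHED, normalize=False))
    print("normalized      :", matched_blocks(ORIG, PATCHED))
    print("+ reorder-aware :", matched_blocks(ORIG, PATCHED, order_insensitive=True))
```

Raw fingerprints match only 2 of 4 original blocks, so the function would show up as changed; after stripping the prologue and merging the split block 2 of 3 match, and the order-insensitive pass brings it to 3 of 3, which is the signal that this function is a false positive and need not be inspected by hand.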

24.
Conclusion
- Presented an overview of how 1-day exploits and vulnerability signatures can be created.
- An attempt was made to understand the process involved in reversing and the problems faced during its execution.
- Only Microsoft patches were discussed, but the concept is not limited to them.
- The concepts presented can be perfected by an interested audience.